Uninstall Carbon Black sensor from Windows fails

Uninstall Carbon Black sensor from Windows fails

Version

Cb 5.0.0 or higher

Bit9 v 7.2.0 or higher

Issue

Unable to successfully uninstall the Carbon Black sensor from a Windows host.

Symptoms

After uninstall - Sensor.LOG

2015-04-14 08:24:41: Attempting self-uninstall...

2015-04-14 08:24:41: Entering self-uninstall...

2015-04-14 08:24:41: OpenService call on CarbonBlackK

2015-04-14 08:24:41: Querying service configuration

2015-04-14 08:24:41: Deleting file \??\C:\Windows\system32\drivers\cbk7.sys

2015-04-14 08:24:41: File Deleted Successfully

2015-04-14 08:24:41: Deleting Service

2015-04-14 08:24:41: Uninstall completed successfully

2015-04-14 08:24:41: Uninstalled core driver

2015-04-14 08:24:41: OpenService call on cbstream

2015-04-14 08:24:41: Querying service configuration

2015-04-14 08:24:41: Deleting file \??\C:\Windows\system32\drivers\cbstream.sys

2015-04-14 08:24:41: File Deleted Successfully

2015-04-14 08:24:41: Deleting Service

2015-04-14 08:24:41: Uninstall completed successfully

2015-04-14 08:24:41: Uninstalled Netmon driver

2015-04-14 08:24:41: Unable to launch uninstaller [hr=0x80070005]

2015-04-14 08:24:41: Notifying server of uninstall result - 1 [CoreDrv: 0x00000000

NetMonDrv: 0x00000000

Uninstaller: 0x80070005

]

2015-04-14 08:24:41: Notification of uninstall to server result [hr=0x00000000]

2015-04-14 08:24:41: Service uninstall attempt failed; hr=0x8000ffff

2015-04-14 08:24:41: File store is stopped

2015-04-14 08:24:41: Core Driver IO completed; disconnecting...

2015-04-14 08:24:41: File store is stopped

2015-04-14 08:24:41: Core Driver IO completed; disconnecting...

Another message that may be observed is:

Pid[07DC] Tid[0848] 2017-01-12 14:59:12 CbServer::_Synch : Upgrade attempt completed HrError[0xC0000005]

Cause

The cause is the Bit9 agent Carbon Black tamper protection updater. The Carbon Black directories are included in the tamper protection settings and that includes preventing the Carbon Black server from uninstalling a sensor.

Solution

Steps for Cb Protection 7.x

If the Cb Protection agent is connected and visible in the Console, open the Rules-> Software Rules-> Updaters tab. Locate and Disable the Windows 'Carbon Black Tamper Protection' Updater. This will globally disable the 'Carbon Black Tamper Protection' Updater.

Steps for Cb Protection 8.x

Starting with Cb Protection 8.0, the Cb Tamper Protection Updater was replaced with a Rapid Configuration.  You'll find this in the console by going to Rules > Software Rules > Rapid Configs.  Locate and disable the "Cb Response Tamper Protection" configuration in order to disable tamper for Cb Response sensors.


If the Cb Protection agent is not connected to the server, the following steps can be performed to manually disable the 'Carbon Black Tamper Protection' Updater:


1. Open Command prompt and run the following DASCLI commands

a) dascli password <CLI or GLOBAL password>
b) dascli kernelconfig CarbonBlackTamperProtection 0

2. Complete the Carbon Black sensor uninstall


3. dascli kernelconfig CarbonBlackTamperProtection 1

a) this turns the Bit9 agent CB tamper protection back on

Important Note(s)

Check Bit9 logs to make sure there are tamper protection events being generated for the Carbon Black uninstall agents.

Labels (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎08-28-2015
Views:
5740
Contributors